| Message ID | 20230607142150.18407-2-adolf.belka@ipfire.org |
|---|---|
| State | Accepted |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4QbqKl0Jd2z3wgN for <patchwork@web04.haj.ipfire.org>; Wed, 7 Jun 2023 14:22:03 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4QbqKf3Ncjz1nk; Wed, 7 Jun 2023 14:21:58 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4QbqKd55KJz30K3; Wed, 7 Jun 2023 14:21:57 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4QbqKc6fYCz2xtr for <development@lists.ipfire.org>; Wed, 7 Jun 2023 14:21:56 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4QbqKc4Knsz1F4; Wed, 7 Jun 2023 14:21:56 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1686147716; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=F40WIzC00i+1d7h9QO8YkxIvU4CVnVQmW7jGaUrYiLk=; b=A3cWDIdNi1vqUWYuRhAfnUuupb87zQjefD+sZTUN/QIioSQwP17kdf3+WQyvKn24zkr2tI fv/g2bvsaYTVXaCw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1686147716; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=F40WIzC00i+1d7h9QO8YkxIvU4CVnVQmW7jGaUrYiLk=; b=sYwOcJri2jLIApBN5Up4GHgKFTSPkBS7Y7dxfWzI2uW7xPoVQInrGVR2ncJu5Rum3LMyQR HjS6FEoWAw1EP618DRwWnsIjbfOebgIfmDIbVR4cjiXFC2E878+R0FDaKwK/QddG4wajJU Nd5PKXIZ6jk7n0HtPjBDFdGK1MIePeFQpN00DAg8KLZCS5nteplaqtpOM5WnjjpawIDue/ 4kmQRTcYHhP9AiJO5KRnDOeOEe9lI/u4rfJk5h+giPKTcfUP+PwtAR2n0FSOyjkmvk4PMn A/FpUIyIsbeLMPMqrkov982TxwgASAdejZQUJp+3RjIqgoaAa15lxgLKyVyO+w== From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH 2/3] backup.pl: Remove the previous code for adding legacty provider to n2n Date: Wed, 7 Jun 2023 16:21:49 +0200 Message-Id: <20230607142150.18407-2-adolf.belka@ipfire.org> In-Reply-To: <20230607142150.18407-1-adolf.belka@ipfire.org> References: <20230607142150.18407-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
[1/3] ovpnmain.cgi: Updated fix for Bug#13137
|
|
Commit Message
Adolf Belka
June 7, 2023, 2:21 p.m. UTC
- This code is no longer needed with the code in the ovpnmain.cgi patch in this patch set. Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> --- config/backup/backup.pl | 15 --------------- 1 file changed, 15 deletions(-)
Comments
I did not merge this, as I believe we need this, because: We won’t rewrite the OpenVPN configuration files on update, so it might be a good idea to just add the line and if someone edits the connection it might be removed. That should work I believe and -legacy should not have any side effects when enabled but not needed. Best, -Michael > On 7 Jun 2023, at 15:21, Adolf Belka <adolf.belka@ipfire.org> wrote: > > - This code is no longer needed with the code in the ovpnmain.cgi patch in this patch set. > > Tested-by: Adolf Belka <adolf.belka@ipfire.org> > Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> > --- > config/backup/backup.pl | 15 --------------- > 1 file changed, 15 deletions(-) > > diff --git a/config/backup/backup.pl b/config/backup/backup.pl > index 8d990c0f1..60138a58a 100644 > --- a/config/backup/backup.pl > +++ b/config/backup/backup.pl > @@ -190,21 +190,6 @@ restore_backup() { > # Update OpenVPN CRL > /etc/fcron.daily/openvpn-crl-updater > > - # Update OpenVPN N2N Client Configs > - ## Add providers legacy default line to n2n client config files > - # Check if ovpnconfig exists and is not empty > - if [ -s /var/ipfire/ovpn/ovpnconfig ]; then > - # Identify all n2n connections > - for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do > - # Add the legacy option to all N2N client conf files if it does not already exist > - if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then > - if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then > - echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf > - fi > - fi > - done > - fi > - > return 0 > } > > -- > 2.40.1 >
Hi Michael, On 10/06/2023 12:16, Michael Tremer wrote: > I did not merge this, as I believe we need this, because: > > We won’t rewrite the OpenVPN configuration files on update, so it might be a good idea to just add the line and if someone edits the connection it might be removed. The code in the backup.pl put the line into the config irrespective of the certificate being legacy or not. With the ovpnmain.cgi code patch of this patch set, it now only adds the providers legacy default to the config file if the cert is legacy when downloading the connection set. This is now done for both n2n and roadwarrior connection sets. > > That should work I believe and -legacy should not have any side effects when enabled but not needed. That is something I have not tested out but I think you are correct, it shouldn't have any side affects. I think it is good to go now and I can always do any additional minor tunings later in CU176 and onwards, otherwise we will be here for ever. Regards, Adolf. > > Best, > -Michael > >> On 7 Jun 2023, at 15:21, Adolf Belka <adolf.belka@ipfire.org> wrote: >> >> - This code is no longer needed with the code in the ovpnmain.cgi patch in this patch set. >> >> Tested-by: Adolf Belka <adolf.belka@ipfire.org> >> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> >> --- >> config/backup/backup.pl | 15 --------------- >> 1 file changed, 15 deletions(-) >> >> diff --git a/config/backup/backup.pl b/config/backup/backup.pl >> index 8d990c0f1..60138a58a 100644 >> --- a/config/backup/backup.pl >> +++ b/config/backup/backup.pl >> @@ -190,21 +190,6 @@ restore_backup() { >> # Update OpenVPN CRL >> /etc/fcron.daily/openvpn-crl-updater >> >> - # Update OpenVPN N2N Client Configs >> - ## Add providers legacy default line to n2n client config files >> - # Check if ovpnconfig exists and is not empty >> - if [ -s /var/ipfire/ovpn/ovpnconfig ]; then >> - # Identify all n2n connections >> - for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do >> - # Add the legacy option to all N2N client conf files if it does not already exist >> - if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then >> - if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then >> - echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf >> - fi >> - fi >> - done >> - fi >> - >> return 0 >> } >> >> -- >> 2.40.1 >> >
Hello, > On 10 Jun 2023, at 12:16, Adolf Belka <adolf.belka@ipfire.org> wrote: > > Hi Michael, > > On 10/06/2023 12:16, Michael Tremer wrote: >> I did not merge this, as I believe we need this, because: >> We won’t rewrite the OpenVPN configuration files on update, so it might be a good idea to just add the line and if someone edits the connection it might be removed. > The code in the backup.pl put the line into the config irrespective of the certificate being legacy or not. > > With the ovpnmain.cgi code patch of this patch set, it now only adds the providers legacy default to the config file if the cert is legacy when downloading the connection set. This is now done for both n2n and roadwarrior connection sets. Yes, this is true, but we won’t run the CGI during the update. Any connections that have legacy certificates won’t work after installing the new version of OpenSSL. So we need the legacy provider enabled (just to be safe). >> That should work I believe and -legacy should not have any side effects when enabled but not needed. > That is something I have not tested out but I think you are correct, it shouldn't have any side affects. > > I think it is good to go now and I can always do any additional minor tunings later in CU176 and onwards, otherwise we will be here for ever. I would rather like to get it right than being fast, but at this point I don’t know what else we can do. So *fingers crossed*. Let’s release either tomorrow or Monday. Depending on how much I am going to enjoy the nice weather this weekend :) -Michael > > Regards, > > Adolf. >> Best, >> -Michael >>> On 7 Jun 2023, at 15:21, Adolf Belka <adolf.belka@ipfire.org> wrote: >>> >>> - This code is no longer needed with the code in the ovpnmain.cgi patch in this patch set. >>> >>> Tested-by: Adolf Belka <adolf.belka@ipfire.org> >>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> >>> --- >>> config/backup/backup.pl | 15 --------------- >>> 1 file changed, 15 deletions(-) >>> >>> diff --git a/config/backup/backup.pl b/config/backup/backup.pl >>> index 8d990c0f1..60138a58a 100644 >>> --- a/config/backup/backup.pl >>> +++ b/config/backup/backup.pl >>> @@ -190,21 +190,6 @@ restore_backup() { >>> # Update OpenVPN CRL >>> /etc/fcron.daily/openvpn-crl-updater >>> >>> - # Update OpenVPN N2N Client Configs >>> - ## Add providers legacy default line to n2n client config files >>> - # Check if ovpnconfig exists and is not empty >>> - if [ -s /var/ipfire/ovpn/ovpnconfig ]; then >>> - # Identify all n2n connections >>> - for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do >>> - # Add the legacy option to all N2N client conf files if it does not already exist >>> - if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then >>> - if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then >>> - echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf >>> - fi >>> - fi >>> - done >>> - fi >>> - >>> return 0 >>> } >>> >>> -- >>> 2.40.1 >>> > > -- > Sent from my laptop
Hi Michael, On 10/06/2023 13:28, Michael Tremer wrote: > Hello, > >> On 10 Jun 2023, at 12:16, Adolf Belka <adolf.belka@ipfire.org> wrote: >> >> Hi Michael, >> >> On 10/06/2023 12:16, Michael Tremer wrote: >>> I did not merge this, as I believe we need this, because: >>> We won’t rewrite the OpenVPN configuration files on update, so it might be a good idea to just add the line and if someone edits the connection it might be removed. >> The code in the backup.pl put the line into the config irrespective of the certificate being legacy or not. >> >> With the ovpnmain.cgi code patch of this patch set, it now only adds the providers legacy default to the config file if the cert is legacy when downloading the connection set. This is now done for both n2n and roadwarrior connection sets. > > Yes, this is true, but we won’t run the CGI during the update. > > Any connections that have legacy certificates won’t work after installing the new version of OpenSSL. So we need the legacy provider enabled (just to be safe). Okay, understand where you are coming from.Good catch. I have also now tested out a n2n connection created with openssl-3.x with and without the providers legacy default line in the client conf. Can confirm that it works in both cases, so having the legacy line added dose not cause any problems with the openssl-3.x n2n client connection working. > >>> That should work I believe and -legacy should not have any side effects when enabled but not needed. >> That is something I have not tested out but I think you are correct, it shouldn't have any side affects. >> >> I think it is good to go now and I can always do any additional minor tunings later in CU176 and onwards, otherwise we will be here for ever. > > I would rather like to get it right than being fast, but at this point I don’t know what else we can do. So *fingers crossed*. > > Let’s release either tomorrow or Monday. Depending on how much I am going to enjoy the nice weather this weekend :) Enjoy the nice weather. Regards, Adolf. > > -Michael > >> >> Regards, >> >> Adolf. >>> Best, >>> -Michael >>>> On 7 Jun 2023, at 15:21, Adolf Belka <adolf.belka@ipfire.org> wrote: >>>> >>>> - This code is no longer needed with the code in the ovpnmain.cgi patch in this patch set. >>>> >>>> Tested-by: Adolf Belka <adolf.belka@ipfire.org> >>>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> >>>> --- >>>> config/backup/backup.pl | 15 --------------- >>>> 1 file changed, 15 deletions(-) >>>> >>>> diff --git a/config/backup/backup.pl b/config/backup/backup.pl >>>> index 8d990c0f1..60138a58a 100644 >>>> --- a/config/backup/backup.pl >>>> +++ b/config/backup/backup.pl >>>> @@ -190,21 +190,6 @@ restore_backup() { >>>> # Update OpenVPN CRL >>>> /etc/fcron.daily/openvpn-crl-updater >>>> >>>> - # Update OpenVPN N2N Client Configs >>>> - ## Add providers legacy default line to n2n client config files >>>> - # Check if ovpnconfig exists and is not empty >>>> - if [ -s /var/ipfire/ovpn/ovpnconfig ]; then >>>> - # Identify all n2n connections >>>> - for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do >>>> - # Add the legacy option to all N2N client conf files if it does not already exist >>>> - if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then >>>> - if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then >>>> - echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf >>>> - fi >>>> - fi >>>> - done >>>> - fi >>>> - >>>> return 0 >>>> } >>>> >>>> -- >>>> 2.40.1 >>>> >> >> -- >> Sent from my laptop > >
Thanks for confirming. I will schedule the release for tomorrow then as there hasn’t been any issues any more. Thanks to everyone who helped to *finally* get this over the line and I will keep my fingers crossed that we found all issues. Best, -Michael > On 11 Jun 2023, at 14:17, Adolf Belka <adolf.belka@ipfire.org> wrote: > > Hi Michael, > >> On 10/06/2023 13:28, Michael Tremer wrote: >> Hello, >>>> On 10 Jun 2023, at 12:16, Adolf Belka <adolf.belka@ipfire.org> wrote: >>> >>> Hi Michael, >>> >>> On 10/06/2023 12:16, Michael Tremer wrote: >>>> I did not merge this, as I believe we need this, because: >>>> We won’t rewrite the OpenVPN configuration files on update, so it might be a good idea to just add the line and if someone edits the connection it might be removed. >>> The code in the backup.pl put the line into the config irrespective of the certificate being legacy or not. >>> >>> With the ovpnmain.cgi code patch of this patch set, it now only adds the providers legacy default to the config file if the cert is legacy when downloading the connection set. This is now done for both n2n and roadwarrior connection sets. >> Yes, this is true, but we won’t run the CGI during the update. >> Any connections that have legacy certificates won’t work after installing the new version of OpenSSL. So we need the legacy provider enabled (just to be safe). > > Okay, understand where you are coming from.Good catch. > > I have also now tested out a n2n connection created with openssl-3.x with and without the providers legacy default line in the client conf. > Can confirm that it works in both cases, so having the legacy line added dose not cause any problems with the openssl-3.x n2n client connection working. > >>>> That should work I believe and -legacy should not have any side effects when enabled but not needed. >>> That is something I have not tested out but I think you are correct, it shouldn't have any side affects. >>> >>> I think it is good to go now and I can always do any additional minor tunings later in CU176 and onwards, otherwise we will be here for ever. >> I would rather like to get it right than being fast, but at this point I don’t know what else we can do. So *fingers crossed*. >> Let’s release either tomorrow or Monday. Depending on how much I am going to enjoy the nice weather this weekend :) > > Enjoy the nice weather. > > Regards, > Adolf. > >> -Michael >>> >>> Regards, >>> >>> Adolf. >>>> Best, >>>> -Michael >>>>> On 7 Jun 2023, at 15:21, Adolf Belka <adolf.belka@ipfire.org> wrote: >>>>> >>>>> - This code is no longer needed with the code in the ovpnmain.cgi patch in this patch set. >>>>> >>>>> Tested-by: Adolf Belka <adolf.belka@ipfire.org> >>>>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> >>>>> --- >>>>> config/backup/backup.pl | 15 --------------- >>>>> 1 file changed, 15 deletions(-) >>>>> >>>>> diff --git a/config/backup/backup.pl b/config/backup/backup.pl >>>>> index 8d990c0f1..60138a58a 100644 >>>>> --- a/config/backup/backup.pl >>>>> +++ b/config/backup/backup.pl >>>>> @@ -190,21 +190,6 @@ restore_backup() { >>>>> # Update OpenVPN CRL >>>>> /etc/fcron.daily/openvpn-crl-updater >>>>> >>>>> - # Update OpenVPN N2N Client Configs >>>>> - ## Add providers legacy default line to n2n client config files >>>>> - # Check if ovpnconfig exists and is not empty >>>>> - if [ -s /var/ipfire/ovpn/ovpnconfig ]; then >>>>> - # Identify all n2n connections >>>>> - for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do >>>>> - # Add the legacy option to all N2N client conf files if it does not already exist >>>>> - if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then >>>>> - if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then >>>>> - echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf >>>>> - fi >>>>> - fi >>>>> - done >>>>> - fi >>>>> - >>>>> return 0 >>>>> } >>>>> >>>>> -- >>>>> 2.40.1 >>>>> >>> >>> -- >>> Sent from my laptop
diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 8d990c0f1..60138a58a 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -190,21 +190,6 @@ restore_backup() { # Update OpenVPN CRL /etc/fcron.daily/openvpn-crl-updater - # Update OpenVPN N2N Client Configs - ## Add providers legacy default line to n2n client config files - # Check if ovpnconfig exists and is not empty - if [ -s /var/ipfire/ovpn/ovpnconfig ]; then - # Identify all n2n connections - for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do - # Add the legacy option to all N2N client conf files if it does not already exist - if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then - if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then - echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf - fi - fi - done - fi - return 0 }